{
	"id": "bd57d3dd-8fc8-4ef4-9516-4496aa07080c",
	"created_at": "2026-04-06T00:17:47.723589Z",
	"updated_at": "2026-04-10T03:38:03.29084Z",
	"deleted_at": null,
	"sha1_hash": "95852397a8c1448e7744a1c79c9fe4bbd3028bd7",
	"title": "XtremeRAT: Nuisance or Threat? | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2863266,
	"plain_text": "XtremeRAT: Nuisance or Threat? | Mandiant\r\nBy Mandiant\r\nPublished: 2014-02-19 · Archived: 2026-04-05 15:00:59 UTC\r\nWritten by: Nart Villeneuve, James T. Bennett\r\nRather than building custom malware, many threat actors behind targeted attacks use publicly or commercially available\r\nremote access Trojans (RATs). This pre-built malware has all the functionality needed to conduct cyber espionage and is\r\ncontrolled directly by humans, who have the ability to adapt to network defenses. As a result, the threat posed by these RATs\r\nshould not be underestimated.\r\nHowever, it is difficult to distinguish and correlate the activity of targeted threat actors based solely on their preference to\r\nuse particular malware — especially, freely available malware. From an analyst’s perspective, it is unclear whether these\r\nactors choose to use this type of malware simply out of convenience or in a deliberate effort to blend in with traditional\r\ncybercrime groups, who also use these same tools.\r\nThere are numerous RATs available for free and for purchase in online forums, chat rooms and market places on the\r\nInternet. Most RATs are easy to use and thus attract novices. They are used for a variety of criminal activity, including\r\n“sextortion”. [1] The ubiquity of these RATs makes it difficult to determine if a particular security incident is related to a\r\ntargeted threat, cybercrime or just a novice “script kiddie” causing a nuisance.\r\nAlthough publicly available RATs are used by a variety of operators with different intents, the activity of particular threat\r\nactors can still be tracked by clustering command and control server information as well as the information that is set by the\r\noperators in the builder. 
These technical indicators, combined with context of an incident (such as the timing, specificity and\r\nhuman activity) allow analysts to assess the targeted or non-targeted nature of the threat.\r\nIn this post, we examine a publicly available RAT known as XtremeRAT. This malware has been used in targeted attacks as\r\nwell as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with\r\nspam campaigns that typically distribute Zeus variants and other banking-focused malware. Why have these traditional\r\ncybercrime operators begun to distribute RATs? This seems odd, considering RATs require manual labor as opposed to\r\nautomated banking Trojans.\r\nBased on our observations we propose one or more of the following possible explanations:\r\n1. Smokescreen\r\nThe operations may be part of a targeted attack that seeks to disguise itself and its possible targets, by using spam\r\nservices to launch the attacks.\r\n2. Less traditional tools available\r\nWith more crimeware author arrests and/or disappearance of a number of banking Trojan developers, cybercriminals\r\nare resorting to using RATs to manually steal data, such as banking and credit card details. [2]\r\n3. Complicated defenses require more versatile tools\r\nAs many traditional banking and financial institutions have improved their security practices, perhaps attackers have\r\nhad a much more difficult time developing automation in their Trojans to cover all variations of these defenses; as\r\nsuch, RATs provide more versatility and effectiveness, at the expense of scalability.\r\n4. Casting a wider net\r\nAfter compromising indiscriminate targets, attackers may dig deeper into specific targets of interest and/or sell off the\r\naccess rights of the victims’ systems and their data to others.\r\nThese possible explanations are not mutually exclusive. 
One or all of them may be factors in explaining this observed\r\nactivity.\r\nXtremeRAT\r\nThe XtremeRAT was developed by “xtremecoder” and has been available since at least 2010. Written in Delphi, the code of\r\nXtremeRAT is shared amongst several other Delphi RAT projects including SpyNet, CyberGate, and Cerberus. The RAT is\r\navailable for free; however, the developer charges 350 Euros for the source code. Unfortunately for xtremecoder, the source\r\ncode has been leaked online. The current version is Xtreme 3.6; however, there are a variety of “private” versions of this RAT\r\navailable as well. As such, the official version of this RAT and its many variants are used by a wide variety of actors.\r\nXtremeRAT allows an attacker to:\r\nInteract with the victim via a remote shell\r\nUpload/download files\r\nInteract with the registry\r\nhttps://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html\r\nPage 1 of 8\n\nManipulate running processes and services\r\nCapture images of the desktop\r\nRecord from connected devices, such as a webcam or microphone\r\nMoreover, during the build process, the attacker can specify whether to include keylogging and USB infection functions.\r\nExtracting Intelligence\r\nXtremeRAT contains two components: a “client” and a “server”; however, from the attacker’s perspective, these terms have\r\nreversed meanings. Specifically, according to the author, the “server” component is the malware that resides on victim\r\nendpoints that connect to the “client”, which is operated by the attacker from one or more remote command-and-control\r\n(CnC) systems. 
Due to this confusing and overloaded terminology, we refer to the “server” as a “backdoor” on the victim\r\nand the “client” as a remote “controller” operated by the attacker.\r\nXtremeRAT backdoors maintain and reference configuration data that was chosen by the attacker at the time they were built.\r\nThis data can contain very useful hints to help group attacks and attribute them to actors, similar to what we have previously\r\ndescribed in our Poison Ivy whitepaper. [3]\r\nSeveral versions of XtremeRAT write this configuration data to disk under %APPDATA%\\Microsoft\\Windows, either directly\r\nor to a directory named after the mutex configured by the attacker. When written to disk, the data is RC4-encrypted with a key\r\nof either \"CYBERGATEPASS\" or \"CONFIG\" for the versions we have analyzed. In both cases, the key is Unicode. The\r\nconfig file has either a “.nfo” or \".cfg\" extension depending on the version. XtremeRAT's key scheduling algorithm (KSA)\r\nimplementation contains a bug: it uses the character count of the key string rather than its byte length, ignoring the null bytes between\r\neach character found in these Unicode strings. As a result, it only effectively uses the first half of the key. 
For example,\r\nthe key “C\\x00O\\x00N\\x00F\\x00I\\x00G\\x00” is 12 bytes long, but its length is calculated as only 6 bytes.\r\nBecause of this, the key that is ultimately used is “C\\x00O\\x00N\\x00”.\r\nThe configuration data includes:\r\nName of the installed backdoor file\r\nDirectory under which the backdoor file is installed\r\nWhich process it will inject into (if specified)\r\nCnC information\r\nFTP information for sending stolen keystroke data to\r\nMutex name of the master process\r\nID and group name, which are used by the actors for organizational purposes\r\nBecause the decrypted configuration data can be reliably located in memory (with only slight variations in its structure from\r\nversion to version) and because not all versions of XtremeRAT will write their configuration data to disk, parsing memory\r\ndumps of infected systems is often the ideal method for extracting intelligence.\r\nWe are releasing Python scripts we have developed to gather the configuration details for various versions of XtremeRAT\r\nfrom both process memory dumps and the encrypted configuration file on disk. The scripts are available here.\r\nAlso included in this toolset is a script that decrypts and prints the contents of the log file created by XtremeRAT containing\r\nvictim keystroke data. This log file is written to the same directory as the config file and has a “.dat” extension. Curiously,\r\nthis log file is encrypted with a simple two-byte XOR instead of RC4. 
Later in this blog, we will share some of the\r\nconfiguration details we have extracted during our subsequent analysis.\r\nXtremeRAT Activity\r\nUsing telemetry from the FireEye Dynamic Threat Intelligence (DTI) cloud, we examined 165 XtremeRAT samples from\r\nattacks that primarily hit the following sectors:\r\nEnergy, utilities, and petroleum refining\r\nFinancial Services\r\nHigh-tech\r\nThese incidents span a spectrum from targeted attacks to indiscriminate attacks. Among these\r\nXtremeRAT-based attacks, we found that 4 of the 165 samples were used in targeted attacks against the High-Tech sector by\r\nthreat actors we have called “MoleRats”. [4]\r\nOperation Molerats\r\nIn 2012, XtremeRAT was used against a variety of governments as well as Israeli and Palestinian targets in what was known\r\nas Operation Molerats (the same attackers have also used variants of the Poison Ivy RAT). [5] Upon executing one particular\r\nsample (45142b17abd8a17a5e38305b718f3415), the malware beacons to “test.cable-modem.org” and “idf.blogsite.org”. In\r\nthis particular case, the attacker used XtremeRAT 2.9 within a self-extracting archive that also presents a decoy document to\r\nthe victim, where the decoy content appears to have been copied from a website.\r\nFigure 1: Contents of SFX archive containing XtremeRAT\r\nFigure 2: SFX settings inside malicious archive\r\nFigure 3: Decoy content presented in malicious archive\r\nFigure 4 shows the controller the attacker uses to interact with systems compromised with XtremeRAT. 
In this case, it\r\nappears the actor used the ID field to record the type of attack delivered (docx) and the Group field was used to record a\r\n“campaign code” (IDF), which helps the actor keep track of the set of victims that were attacked during this campaign.\r\nFigure 4: XtremeRAT controller GUI\r\nThe attacker modified the highlighted information at build time. By default, the XtremeRAT controller sets the ID field as\r\n“Server” and the Group field as “Servers”, with the default password used to authenticate, connect, and control a compromised\r\nendpoint as “1234567890”.\r\nFigure 5: XtremeRAT controller connection settings\r\nIn Figure 5, the attacker specified custom CnC servers and ports and changed the default password to “1411”. The\r\nattacker also changed the default process mutex name.\r\nFigure 6: XtremeRAT install settings\r\nBy default, the controller assigns a process mutex name of “--((Mutex))--”; the attackers changed it to “fdgdfdg”.\r\nThese indicators, along with command and control domain names and the IP addresses that they resolve to, can be used to\r\ncluster and track this activity over time.\r\nFigure 7: Molerats cluster analysis\r\nFigure 7 shows a cluster of Molerats activity. In addition to using the password “1411”, the attackers are also using the password\r\n“12345000”. Combining passive DNS data with configuration information extracted from XtremeRAT is a simple way to track the\r\nactivity of these actors.\r\nSpam Activity\r\nThe vast majority of XtremeRAT activity clustered around the default password “1234567890” (116 samples). There was\r\noverlap between this large cluster and the second largest one, which used the password “123456” (12 samples). 
The activity\r\nin these two clusters aligns with indicators observed in Spanish-language spam runs. The “123456” cluster also contains\r\nspam in the English language, leveraging the recent tragedy in Kenya as a lure. [7]\r\nThe Uranio Cluster\r\nIn our sample set, we have 28 malware samples that connect to a set of sequentially numbered command and control\r\nservers:\r\nuranio.no-ip.biz\r\nuranio2.no-ip.biz\r\nuranio3.no-ip.biz\r\nuranio4.no-ip.biz\r\nuranio5.no-ip.biz\r\nuranio6.no-ip.biz\r\nuranio7.no-ip.biz\r\nplatino.no-ip.biz\r\nplatino-2.no-ip.biz\r\nplatino-4.no-ip.biz\r\nplatino-5.no-ip.biz\r\nplatino-8.no-ip.biz\r\nplatino-9.no-ip.biz\r\ncometa3.no-ip.biz\r\ncometa4.no-ip.biz\r\nThe malware is being spammed out and has file names such as:\r\nCertificaciones De Pagos Nominas Parafiscales jpg 125420215 58644745574455 .exe\r\nSoportes de pagos certificaciones y documentos mes mayo 30 2013 567888885432235678888888123456.exe\r\nCertificaciones De Pago Y Para Fiscales.exe\r\nWe extracted the configurations for a sampling of the XtremeRAT samples we came across in this spam run and found the\r\nfollowing results:\r\nMD5                               ID      Group       Version      Mutex\r\na6135a6a6346a460792ce2da285778b1  ABRIL   CmetaS3     3.6 Private  C5\r\n988babfeec5111d45d7d7eddea6daf28  ABRIL   CmetaS3     3.6 Private  C5\r\n715f54a077802a0d67e6e7136bcbe340  ABRIL   CmetaS3     3.6 Private  C5\r\n167496763aa8d369ff482c4e2ca3da7d  ABRIL   CmetaS3     3.6 Private  C5\r\n3f288dfa95d90a3cb4503dc5f3d49c16  Server  Cometa4     3.6 Private  4Q\r\n6a8057322e62c569924ea034508068c9  Server  Platino4    3.6 Private  mb\r\n37b90673aa83d177767d6289c4b90468  Server  Platino4    3.6 Private  mb\r\n98fb1014f6e90290da946fdbca583334  Server  Platino8    3.6 Private  G7\r\n5a9547b727f0b4baf9b379328c797005  Server  Platino8    3.6 Private  G7\r\nfb98c8406e316efb0f46024f7c6a6739  Server  Platino9    3.6 Private  kU\r\n64f6f819a029956b8aeafb729512b460  Server  Uranio      3.6 Private  eY\r\na4c47256a7159f9556375c603647f4c2  Mayo    Uranio2011  3.6 Private  0pg\r\n62d6e190dcc23e838e11f449c8f9b723  Mayo    Uranio2011  3.6 Private  0pg\r\nd5d99497ebb72f574c9429ecd388a019  Mayo    Uranio2011  3.6 Private  0pg\r\n3a9237deaf25851f2511e355f8c506d7  Server  Uranio3     1.3.6.16     Qw\r\nc5e95336d52f94772cbdb2a37cef1d33  Server  Uranio3     1.3.6.16     Qw\r\n0ea60a5d4c8c629c98726cd3985b63c8  Server  Uranio4     1.3.6.16     xjU\r\n41889ca19c18ac59d227590eeb1da214  Server  Uranio4     1.3.6.16     xjU\r\n90e11bdbc380c88244bb0152f1142aff  Server  Uranio4     1.3.6.16     xjU\r\nc1ad4445f1064195de1d6756950e2ae9  Server  Uranio5     3.6 Private  R9\r\ne5b781ec77472d8d4b3b4a4d2faf5761  Server  Uranio6     3.6 Private  Kd\r\na921aa35deedf09fabee767824fd8f7e  Server  Uranio6     3.6 Private  Kd\r\n9a2e510de8a515c9b73efdf3b141f6c2  CC      Uranio7     3.6 Private  UB\r\na6b862f636f625af2abcf5d2edb8aca2  CC      Uranio7     3.6 Private  iod\r\n0327859be30fe6a559f28af0f4f603fe  CC      Uranio7     3.6 Private  UB\r\n“Server”, “Servers”, and “--((Mutex))--” are the defaults in the XtremeRAT controller for ID, Group, and Mutex\r\nrespectively. The random mutex names in the table above can be generated by double-clicking in the Mutex field within the\r\ncontroller. In most cases, the number at the end of the group label is the same number used at the end of the subdomain for\r\nthe CnC. In the case of “Uranio2011”, the subdomain is simply “uranio” and 2011 represents the port number used to\r\ncommunicate with the CnC infrastructure.\r\nFigure 8: Portuguese version of XtremeRAT controller\r\nUranio Sinkhole Analysis\r\nWe sinkholed uranio2.no-ip.biz between November 22, 2013 and January 6, 2014. During that time, 12000 unique IPs\r\nconnected to uranio2.no-ip.biz. Recall that this number reflects only one of many command and control servers. [8]\r\nHowever, estimating the number of victims this way is difficult due to DHCP lease times, which inflate the numbers, and\r\nNAT connections, which deflate the numbers. [9] As such, we counted the unique IP addresses that connected to the sinkhole\r\non each day. The highest number of connections to this sinkhole was on Dec. 3, 2013 with 2003 connections and the lowest\r\nwas Jan. 6, 2014 with 109 connections. 
The average number of unique IP addresses that connected to the sinkhole per day\r\nwas 657.\r\nWhile these IP addresses were in ranges assigned to 40 distinct countries, the vast majority of the connections to the\r\nsinkhole (92.7 percent) were from Colombia. Argentina was a distant second with 1.22 percent, followed by Venezuela with\r\n1.02 percent, Egypt with 0.95 percent and the U.S. with 0.9 percent.\r\nConclusion\r\nDetermining the activity of targeted threat actors is difficult. Most of the activity associated with publicly available RATs is\r\ntraditional cybercrime associated with spam runs, banking Trojans and malware distribution. However, useful indicators can\r\nbe extracted from these ubiquitous RATs to track the activities of targeted threat actors (as well as cybercrime).\r\nTools\r\nXtreme RAT\r\nNotes:\r\n1. http://arstechnica.com/tech-policy/2013/09/miss-teen-usas-webcam-spy-called-himself-cutefuzzypuppy/\r\nhttp://arstechnica.com/tech-policy/2011/09/how-an-omniscient-internet-sextortionist-ruined-lives/\r\n2. The group behind the Carberp banking Trojan were arrested http://www.techweekeurope.co.uk/news/carberp-botnet-leader-arrested-112205, the author of Zeus retired, http://krebsonsecurity.com/2010/10/spyeye-v-zeus-rivalry-ends-in-quiet-merger/, the author of SpyEye went into hiding http://www.xylibox.com/2012/03/behind-spyeye-gribodemon.html and was\r\nrecently arrested http://www.wired.com/threatlevel/2014/01/spy-eye-author-guilty-plea/, FBI and Microsoft have gone after\r\nCitadel which is not off the market https://blogs.rsa.com/citadels-steward-banned-from-undergorund-venues/\r\nhttp://www.microsoft.com/en-us/news/press/2013/jun13/06-05dcupr.aspx and an overview of the “Big 4” banking Trojans\r\nhttp://blog.kaspersky.com/the-big-four-banking-trojans/\r\n3. /content/dam/legacy/resources/pdfs/fireeye-poison-ivy-report.pdf\r\n4. 
http://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html\r\n5. http://blog.trendmicro.com/trendlabs-security-intelligence/new-xtreme-rat-attacks-on-usisrael-and-other-foreign-governments/ http://download01.norman.no/whitepapers/Cyberattack_against_Israeli_and_Palestinian_targets.pdf\r\nhttp://www.fireeye.com/blog/technical/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html\r\n6. http://tools.cisco.com/security/center/viewThreatOutbreakAlert.x?alertId=30825\r\n7. http://www.symantec.com/connect/blogs/spammers-use-kenya-terrorist-attack-spread-malware\r\n8. We filtered out all non-XtremeRAT traffic and ensured that each of the 12000 IPs attempted to make an XtremeRAT\r\nconnection.\r\n9. https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/rajab/rajab.pdf\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html"
	],
	"report_names": [
		"xtremerat-nuisance-or-threat.html"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434667,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/95852397a8c1448e7744a1c79c9fe4bbd3028bd7.pdf",
		"text": "https://archive.orkl.eu/95852397a8c1448e7744a1c79c9fe4bbd3028bd7.txt",
		"img": "https://archive.orkl.eu/95852397a8c1448e7744a1c79c9fe4bbd3028bd7.jpg"
	}
}